Title: Message
What is the file format for the spamdomains.txt file?
I'm looking at the file but can't figure it out and can't find a description of the format anywhere.
Paul Fuhrmeister
Here's the X-Declude-Sender in a spam message. It includes my domain name
and a ?:
X-Declude-Sender: [EMAIL PROTECTED] [65.249.245.10]
How would one add weight if there's a ? in the X-Declude-Sender? I assume
this is a valid test to add weight.
[EMAIL PROTECTED]
---
[This E-mail was scanned
and check the first 250 characters of the
message body or something, but it doesn't deal with html.
I can post the source code if anyone's interested (it's Visual Basic compiled
to an exe).
Paul Fuhrmeister
[EMAIL PROTECTED]
From: [EMAIL PROTECTED]
[mailto
Yes, it does get caught.
Our filtered word list includes vagra
If the program does not see vagra before stripping non-alpha characters, but
does after stripping, the subject line fails.
We have only 38 words in our list, here's the last of it:
valium
valum
Vcodin
vagra
viagr
viagra
Vicdin
Using JunkMail Pro,
I am not clear on the WhiteListFiles option.
My $default$.junkmail file currently looks like this:
AHBL WARN
DSBLMulti WARN
CBL WARN
DSBL WARN
ORDB WARN
... Etc ...
Using the WhitelistFiles option, my would look like
1. We have multiple domains, and want each to be able to create their own
white list
2. We have a program that copies the $default$.junkmail files out to the per
domain directories so making changes is easy.
To make this easy on us,
If we use: WHITELISTFILE mywhitelist.txt
instead of:
I currently have 9 sorbs.net lookups:
SORBS-HTTP ip4r dnsbl.sorbs.net 127.0.0.2 5 0
SORBS-SOCKS ip4r dnsbl.sorbs.net 127.0.0.3 5 0
SORBS-MISC ip4r dnsbl.sorbs.net 127.0.0.4 5 0
SORBS-SMTP ip4r
I notice the njabl test is not a standard test in the sample Declude
JunkMail config file:
# The following tests are commented out by default because they are not commonly used
# NJABL ip4r dnsbl.njabl.org 127.0.0.2 5 0
Is this test worth the machine time doing the lookup?
[EMAIL
it?
Paul Fuhrmeister
[EMAIL PROTECTED]
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.JunkMail. The archives can
/q Badmail_08
rd Badmail_08
Paul Fuhrmeister
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of decjunkmail
Sent: Saturday, May 08, 2004 12:36 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] OT: disabling NDR's/badmail dir
or CPU difference?
Paul Fuhrmeister
[EMAIL PROTECTED]
Thank you Bill and Roger for sharing your excellent work.
[EMAIL PROTECTED]
The scripts run under both Windows NT 4 and Windows 2000. They are
pure Windows command scripts and therefore not as fast as some of the
other log analysis tools. The analyses below took about one minute
each
Since my weights are all so close I could make them the same.
Is there a way to combine these 8 tests into 1 to determine if it failed
any of the tests? That is, IF NOT 127.0.0.0, or whatever their OK response
is? Does it really matter?
Paul Fuhrmeister
[EMAIL PROTECTED]
If the following
BLOCKTEXT test (line 394, weight 7)
X-Declude-Sender: [EMAIL PROTECTED] [24.5.121.88]
X-Declude-Spoolname: D2d2c2f4000be40bf.SMD
X-RCPT-TO: [EMAIL PROTECTED]
Status: U
X-UIDL: 1049636097
Paul Fuhrmeister
[EMAIL PROTECTED]
not
understand the filter Matt referenced earlier
(
MAILFROM END ENDSWITH @comcast.net
REVDNS 5 ENDSWITH client.comcast.net
)
Where is that filtering documented? Archives?
Paul Fuhrmeister
[EMAIL PROTECTED]
-spam tests
If I use IMail Antispam to add an X-Header for statistical filtering and
HTML features detection, would Declude JunkMail see it? Or are those IMail
tests after JunkMail?
Paul Fuhrmeister
[EMAIL PROTECTED]
If the following is in the Global.cfg file, is it true that
dnsbl.sorbs.net will be queried once and the result will be
evaluated 8 times?
SORBS-HTTP ip4r dnsbl.sorbs.net 127.0.0.2 5 0
SORBS-SOCKS ip4r dnsbl.sorbs.net 127.0.0.3 5 0
SORBS-MISC ip4r
We set up Store and Forward (Imail 8.05, Declude JunkMail Pro) and everything
seems to work correctly.
But the manual and archives talk about Outgoing Actions.
We have a declude/domainname.com directory with a $default$.junkmail file.
Do those tests get performed on the outbound email or is
Thanks Scott.
I think I understand. I guess I'll wait and see what happens.
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday, March 29, 2004 4:33 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.JunkMail]
I'll explain the issue and then ask the question.
We are having trouble with a spammer who registers new domain names every
day and spams our customers from a DSL line with a dynamic ip. They change
the text a bit each time, leaving us nothing to filter on except this, from
(unix) whois lookups:
Let me re-state the point:
If the recipient's domain name is in the left hand side of the sender's
address (to the left of the @) then it's probably from a list server. You
could also look for the word bounce in the sender address.
I don't see how sending through an ISP SMTP server is relevant.
Is there a test that tells me if the recipient's domain name is in the
sender address? It seems this would be a good tip-off that it's bulk mail,
AND IF from a DUL OR listed in SpamCop, MailPolice, etc. THEN it's
probably spam.
X-RBL-Warning: AHBL: 1067376393 bruns - Spam Source -
Looking on the bondedsender.com web site, I see nowhere to report things
like this:
Received: from adsl-68-78-114-74.dsl.emhril.ameritech.net
(adsl-68-78-114-74.dsl.emhril.ameritech.net [68.78.114.74])
Received: from ebay.com (data.ebay.com [66.135.195.180])
From: eBay Service [EMAIL PROTECTED]
I see this in the headers of spam:
Received: from uk2.net (unknown [61.155.209.7])
Is this something I can add weight on? I assume it's a clue.
[EMAIL PROTECTED]
What version / release do we need to be running to use this test?
CMDSPACE cmdspace x x 8 0
[EMAIL PROTECTED]
I put this in the $default$.junkmail and it doesn't work. Things get routed
but not attached.
WEIGHT20 ATTACH
WEIGHT20 ROUTETO [EMAIL PROTECTED]
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Monday,
Scott,
We use the ROUTETO action on suspected spam to take it out of the user's
mail stream.
When users forward false positives to me from the abuse box I don't get the
headers. Without the headers I have to do a good deal of work to determine
why the message failed. The users (customers), for
SpamCop blocked the ActiveServerPages list at 15seconds.com (which is not a
source of spam):
List-Unsubscribe: mailto:[EMAIL PROTECTED]
X-RBL-Warning: SPAMCOP: Blocked - see http://www.spamcop.net/bl.shtml?
The problem with SpamCop is, it's only as reliable as its users. It would
appear that
What is the address we can use for DNSStuff.com and DNSReport.com? I know
this has been on the list a few times, but I didn't save those emails and
can't find it in the archives.
These two domain names are not working for me.
server ns1.easydns.com
Default Server: ns1.easydns.com
Address:
Scott,
If I could assign a weight to a combination of tests . . .
Specifically, if a message fails both SpamCop and NOLEGITCONTENT (meaning it
has no legitimate content) it is almost certainly junk.
SpamCop ID's more spam than anything else, but the flip side of that is
false positives.
I
I can not find this in the archive . . .
I have a mail domain with three different domain names:
Official Host Name: TripleBDomain.com
Host Aliases: 3BDomain.com, 3BD.com
Do I need to set up Declude Virus and Junk Mail for each domain name?
[EMAIL PROTECTED]
I'm confused.
I have :
Official Host Name: TripleBDomain.com
Host Aliases: 3BDomain.com, 3BD.com
Some users use the TripleBDomain.com domain name for their email
([EMAIL PROTECTED] and [EMAIL PROTECTED])
Other users use the 3BD.com domain name:
([EMAIL PROTECTED])
Yet another uses [EMAIL
Yes, I have per-domain settings.
I do not scan their mail for spam unless they pay for it. So, I turn the
domains on individually.
I assume I need to set up each individual domain in Declude.
[EMAIL PROTECTED]
You will only need to do something special if you set up per-user or
On the Filtering (Pro version) - create your own filters, similar to the
filters in IMail,
1. Is there a space character like iMail filters (/s)
For example:
BODY 3 CONTAINS /ssex/s
2. Realistically, how many rules can you put in a filter file.
[EMAIL PROTECTED]
We have a customer who subscribes to a real estate service that sends info
via a list serv. The messages are being diverted because they fail a few too
many tests.
How do we white-list list serv messages when they come from the subscribers,
not from the list?
Here are some headers:
From:
We are having trouble white-listing a couple of YahooGroup Discussion
Groups.
The messages are not from the group, they are from the group members,
and they often fail our spam tests for various reasons.
How would one go about white-listing a specific YahooGroup (or other)
discussion group?
The project is to set up a dns server to list spam-vertised domain
names, plus all of the opt-in services domain names.
Right. And are you successfully updating the name server at this
point? This was some of the confusion: some people were giving
suggestions for DNS server
server, look up the domain name, if
it resolves, it's a spamvertised domain.
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Sanford
Whiteman
Sent: Monday, January 27, 2003 10:03 PM
To: Paul Fuhrmeister
Subject: Re: [Declude.JunkMail
We need to do a Windows API call to WINSOCK.DLL
- GetHostByAddr and
- GetHostByName
Need to do it in an ASP page and in a server side .exe (VB6).
It's for a project where we're running a name server with spam-vertised
domain names, IP Numbers and phone numbers. We have an .exe to pick them
Valid emails are being caught by Declude Virus:
Virus Name.: [Conflicting Encoding Vulnerability]
This seems to happen when someone forwards a good html formatted email.
It's a big issue here because we send out html formatted invoices via
email and they're ending up in the virus directory when
41 matches